Date: Sat, 21 Aug 1999 00:18:23 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Cliff Skolnick
Cc: "Rodney W. Grimes", jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network

Cliff Skolnick wrote:
>
> On Fri, 20 Aug 1999, Wes Peters wrote:
>
> > Ah hell, just buy a switch/router and get the whole mess in one box. If you
> > buy the RIGHT one, you can get your wide area/internet link AND your firewall
> > all in the same box. Anyone who thinks a router provides more security than
> > a VLAN switch doesn't understand how VLANs work.
>
> With a nice router I can almost always set up filtering and policies on how
> ports exchange traffic. It's really hard to create a good packet filter on
> a layer 2 device,

Who said anything about layer 2 devices? Both the switches I referred to are
layer 3 devices with a wide range of network services available. The Xylan
box offers Checkpoint FW-1 firewall and advanced routing if you want to get
really involved, though you'll need a model with more RAM and Flash.

> 4 Port Ethernet cards are less than $500 now so you
> can build the box with a really low per-port cost. The box costs $2000 for
> 8 ports at about $250/port.

You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
That's $47 per port, much lower than your $250/port, with a LOT more
performance also. The Tolly Group recently tested it and found it capable of
sustaining full wire speed on all 40 ports. I'll just bet your PCI-bus box
isn't going to hit 4 Gbps throughput.

> Sure there are some switches that do provide extensive filtering and even
> load balancing, but those are usually a bit more than $250/port.

Not anymore.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
http://softweyr.com/
wes@softweyr.com